4 files changed, 90 insertions, 29 deletions

diff --git a/app/models/gpg_key.rb b/app/models/gpg_key.rb
index 6ca108d6b87..ec30658e7ea 100644
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -53,6 +53,10 @@ class GpgKey < ActiveRecord::Base
     emails_with_verified_status.any? { |_email, verified| verified }
   end
 
+  def update_invalid_gpg_signatures
+    Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run
+  end
+
   private
 
   def extract_fingerprint
@@ -67,10 +71,6 @@ class GpgKey < ActiveRecord::Base
     self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
   end
 
-  def update_invalid_gpg_signatures
-    run_after_commit { Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run }
-  end
-
   def notify_user
     run_after_commit { NotificationService.new.new_gpg_key(self) }
   end
diff --git a/app/models/user.rb b/app/models/user.rb
index 5aebd36cf8a..791d099605d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -155,6 +155,7 @@ class User < ActiveRecord::Base
   before_validation :set_public_email, if: :public_email_changed?
 
   after_update :update_emails_with_primary_email, if: :email_changed?
+  after_update :update_invalid_gpg_signatures, if: :email_changed?
   before_save :ensure_authentication_token, :ensure_incoming_email_token
   before_save :ensure_user_rights_and_limits, if: :external_changed?
   after_save :ensure_namespace_correct
@@ -513,6 +514,10 @@ class User < ActiveRecord::Base
     end
   end
 
+  def update_invalid_gpg_signatures
+    gpg_keys.each(&:update_invalid_gpg_signatures)
+  end
+
   # Returns the groups a user has access to
   def authorized_groups
     union = Gitlab::SQL::Union
diff --git a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
index 48f8fa285aa..42348b3f2c1 100644
--- a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
+++ b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
@@ -2,37 +2,39 @@ require 'rails_helper'
 
 RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
   describe '#run' do
-    context 'gpg signature did not have an associated gpg key' do
-      let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
-      let!(:project) { create :project, :repository, path: 'sample-project' }
-      let!(:commit) do
-        raw_commit = double(:raw_commit, signature: [
-          GpgHelpers::User1.signed_commit_signature,
-          GpgHelpers::User1.signed_commit_base_data
-        ], sha: commit_sha)
-        allow(raw_commit).to receive :save!
-
-        create :commit, git_commit: raw_commit, project: project
-      end
+    let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
+    let!(:project) { create :project, :repository, path: 'sample-project' }
+    let!(:commit) do
+      raw_commit = double(:raw_commit, signature: [
+        GpgHelpers::User1.signed_commit_signature,
+        GpgHelpers::User1.signed_commit_base_data
+      ], sha: commit_sha)
+      allow(raw_commit).to receive :save!
 
-      let!(:gpg_signature) do
-        create :gpg_signature,
-          project: project,
-          commit_sha: commit_sha,
-          gpg_key: nil,
-          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
-          valid_signature: false
-      end
+      create :commit, git_commit: raw_commit, project: project
+    end
 
-      before do
-        allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
-      end
+    let!(:gpg_signature) do
+      create :gpg_signature,
+        project: project,
+        commit_sha: commit_sha,
+        gpg_key: nil,
+        gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+        valid_signature: false
+    end
+
+    before do
+      allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
+    end
+
+    context 'gpg signature did not have an associated gpg key' do
+      let!(:user) { create :user, email: GpgHelpers::User1.emails.first }
 
       it 'updates the signature to being valid when the missing gpg key is added' do
         # InvalidGpgSignatureUpdater is called by the after_create hook
         create :gpg_key,
           key: GpgHelpers::User1.public_key,
-          user: create(:user, email: GpgHelpers::User1.emails.first)
+          user: user
 
         expect(gpg_signature.reload.valid_signature).to be_truthy
       end
@@ -41,7 +43,41 @@ RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
         # InvalidGpgSignatureUpdater is called by the after_create hook
         create :gpg_key,
           key: GpgHelpers::User2.public_key,
-          user: create(:user, email: GpgHelpers::User2.emails.first)
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+      end
+    end
+
+    context 'gpg signature did have an associated unverified gpg key' do
+      let!(:user) do
+        create(:user, email: 'unrelated@example.com').tap do |user|
+          user.skip_reconfirmation!
+        end
+      end
+
+      it 'updates the signature to being valid when the user updates the email address' do
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: GpgHelpers::User1.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_truthy
+      end
+
+      it 'keeps the signature at being invalid when the changed email address is still unrelated' do
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: 'still.unrelated@example.com')
 
         expect(gpg_signature.reload.valid_signature).to be_falsey
       end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 20bdb7e37da..14b0440af9c 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -350,6 +350,26 @@ describe User, models: true do
     end
   end
 
+  describe 'after update hook' do
+    describe '.update_invalid_gpg_signatures' do
+      let(:user) do
+        create(:user, email: 'tula.torphy@abshire.ca').tap do |user|
+          user.skip_reconfirmation!
+        end
+      end
+
+      it 'does nothing when the name is updated' do
+        expect(user).not_to receive(:update_invalid_gpg_signatures)
+        user.update_attributes!(name: 'Bette')
+      end
+
+      it 'synchronizes the gpg keys when the email is updated' do
+        expect(user).to receive(:update_invalid_gpg_signatures)
+        user.update_attributes!(email: 'shawnee.ritchie@denesik.com')
+      end
+    end
+  end
+
   describe '#update_tracked_fields!', :clean_gitlab_redis_shared_state do
     let(:request) { OpenStruct.new(remote_ip: "127.0.0.1") }
     let(:user) { create(:user) }